The Privacy Act 1988 (the Privacy Act) establishes the federal legislative framework governing the collection and handling of information relating to individuals in Australia. Whether information is subject to the Privacy Act depends on whether that information meets the definition of personal information.
What is personal information?
Personal information is currently defined under section 6(1) of the Privacy Act as information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not or recorded in material form or not.
Sensitive information and health information are also defined as subsets of personal information and are subject to additional privacy protections compared with other types of personal information.
Common examples of personal information provided by the Office of the Australian Information Commissioner, the government regulator of the Privacy Act, include an individual’s name, signature, address, telephone number, date of birth, medical records, bank account details and employment details; as well as commentary or opinion about an individual.
Personal information refers to information about living individuals and not deceased individuals.
About an individual
The current definition of personal information requires the relevant information or opinion to be about an individual.
The phrase “about an individual” was considered by the Full Federal Court on appeal from the Administrative Appeals Tribunal in the 2017 case of Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4. In the majority judgement it was said:
“The words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion… Information and opinions can have multiple subject matters… even if a single piece of information is not “about an individual” it might be about the individual when combined with other information… in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.”
The Australian Privacy Principles Guidelines issued by the Office of the Australian Information Commissioner indicate that whether a person is “reasonably identifiable” from certain information will depend on a number of factors, including:
- the nature and amount of the information;
- the circumstances of its receipt;
- who will have access to the information;
- other information either held by or available to the person or entity holding the information;
- whether it is possible for the person or entity that holds the information to identify the individual; and
- if the information is publicly released, whether a reasonable member of the public who accesses that information would be able to identify the individual.
For example, a full name and birthdate of an individual together would constitute personal information. However, a birthdate alone generally would not be personal information if it is collected, provided or stored in isolation and is not combined or associated with any other information about the person to whom it relates, so that the individual cannot be identified from the birthdate.
De-identified information is not personal information
Currently, personal information that has been de-identified is not personal information. Personal information is de-identified if it is modified so that it is no longer about an identifiable individual or an individual who is reasonably identifiable.
Is business information personal information?
Generally, business information is not considered personal information as it is not about an individual. Therefore, information such as a business name, business address and primary business contact details (such as general business email and phone number) would not be considered personal information and this information would not be subject to the Privacy Act.
However, specific contact details of individual employees of a business (such as their direct email address and direct phone number) can fall within the scope of personal information. This is because an individual’s work email address and contact details would be categorised as personal information about that individual. This applies even if the specific employee’s direct contact details are publicly available (for example, on the business website).
Just because information is public does not mean it is not personal information.
Reforms to the definition of personal information
The Australian government is currently undertaking the Privacy Act review. As part of this review the definition of personal information is being considered to determine if an expanded definition of personal information is required. In particular, the following questions are under consideration:
- What approaches should be considered to ensure the Privacy Act protects an appropriate range of technical information?
- Should the definition of personal information be updated to expressly include inferred personal information?
- Should there be additional protections in relation to de-identified, anonymised and pseudonymised information? If so, what should these be?
- Are any other changes required to the Privacy Act to provide greater clarity around what information is personal information?
The review is still underway. However, on 16 February 2023 the Australian government released its Privacy Act Review Report outlining its proposals for reform. The proposals were open for public consultation until 31 March 2023. On the topic of personal information, the Report proposes to broaden the current definition of personal information so that it applies to information that “relates to” an individual. The purpose of this change is to make it clear that personal information extends to technical and inferred information, such as IP addresses, device identifiers, location data and other online identifiers. This change would bring the terminology and practice into line with the EU’s General Data Protection Regulation and other federal legislation such as the Consumer Data Right.
In addition, the Report proposes to bring de-identified information within the ambit of the Privacy Act, acknowledging that there is a risk that de-identified information can be re-identified and that it should therefore be afforded some protection. For example, one proposal is to extend Australian Privacy Principle 11 to de-identified information. This would require an APP entity to take reasonable steps to protect de-identified information it holds from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Further, it is proposed that re-identification of information that was collected in a de-identified state should be prohibited. These would be significant changes to the current position, under which an organisation has full discretion in how it manages and uses de-identified information.
With the consultation process still ongoing and no legislative amendments proposed to date, there is still some time before such changes are actually implemented. Nevertheless, consider taking the time to assess how this potential change to the definition of personal information, and to the treatment of de-identified information, might impact your business.
Keep watching this space and we will keep you updated on the reforms proposed by the Report. For further information on the reforms more generally you can consider our earlier update here.
In many cases it will be obvious whether information is “personal information” subject to the Privacy Act. However, there may be circumstances in which it is not entirely clear, depending on the particular nature of the information or how it is collected, stored or treated.
Our team of privacy and data protection experts regularly assist businesses to meet their privacy obligations around collection and use of personal information. Please feel free to contact us if you have any questions about whether the information you collect or process is “personal information” that is subject to the Privacy Act, if you need any assistance to better understand or meet your compliance obligations under the Privacy Act or if you require advice on the reforms proposed by the Privacy Act review.
Note that this article is not intended to provide legal advice or offer comprehensive guidance.